UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

JUN 11 2014

Mr. Andre Mendes
Director of Global Operations
Broadcasting Board of Governors
330 Independence Avenue SW, Room 3360
Washington, DC 20237

Dear Mr. Mendes:

Subject: Report on FY 2013 Risk Assessment of Travel and Purchase Card Programs at the Broadcasting Board of Governors (AUD-CG-IB-14-28)

The Government Charge Card Abuse Prevention Act of 2012[1] (the Act) requires the Office of Inspector General (OIG) to conduct periodic assessments of agency purchase and travel card programs that identify and analyze risks of illegal, improper, or erroneous purchases and payments for use in determining the scope, frequency, and number of periodic audits of these programs. The FY 2013 risk assessment was the first such review conducted of the travel and purchase card programs of the Broadcasting Board of Governors (BBG). Travel and purchase card program size, internal controls, training, reported violations,[2] previous OIG audits, and OIG Office of Investigations (OIG/INV) forensic audit observations were considered in assessing the risks.

The risk assessment was not an audit and therefore not conducted in accordance with generally accepted government auditing standards. The results of the risk assessment should not be interpreted to conclude that travel and purchase card programs with lower risk are free of illegal, improper, or erroneous use or internal control deficiencies. Conversely, a higher-risk program may not necessarily signify illegal, improper, or erroneous use, only that conditions are conducive to those activities. Regardless of the risk assessment results, if the travel and purchase card programs were to be audited, a team may identify such issues through independent testing of travel and purchase card data. For example, a purchase card program may be found to be “very low risk” based on documentation and other information provided by agency officials, the number of cardholders, and the total amount of purchase card expenditures. However, an audit of that purchase card program may determine that the controls outlined in an agency’s policy are not being followed and that illegal, improper, or erroneous activity is occurring. The risk assessment was designed to identify the programs where the OIG Office of Audits should focus its limited resources.

The results of the assessment show that the risk of illegal, improper, or erroneous use in the BBG travel card program is “medium” and for the purchase card program is “very low.” As a result, audits of the programs were not recommended for inclusion in the OIG FY 2015 annual audit plan.[3]

Scope and Methodology

OIG’s Office of Audits performed this risk assessment from March to May 2014. The objective was to assess the risk of illegal, improper, and erroneous use of the purchase and travel card programs to determine the scope, frequency, and number of audits recommended to be conducted. The assessment was conducted using industry standard principles for risk management.[4] The risk assessment was conducted by Melinda M. Perez, Director, Contracts and Grants Division, and Beverly J.C. O’Neill, Audit Manager, Contracts and Grants Division.

Assessment Criteria

To conduct the risk assessment, OIG reviewed FY 2013 charge card data, documentation, and information provided by BBG officials; however, OIG did not independently verify or validate the data obtained from agency officials. We assessed the travel card program based on four criteria and the purchase card program on five criteria. The criteria are described in the paragraphs that follow.

Internal Controls. Using the criteria identified in the Act and Office of Management and Budget (OMB) Circular No. A-123,[5] internal controls were assessed for the travel card and purchase card programs. The travel card program was assessed for 28 general controls and 18 controls specific to travel card programs (46 total controls), and the purchase card program was assessed for the same 28 general controls and 29 controls specific to purchase card programs (57 total controls). A rating of “lower,” “medium,” or “higher” was assigned based on documented compliance with required controls.

Training. The travel card and purchase card programs were assigned a rating of “lower,” “medium,” or “higher” based on the availability of training and the incorporation of training in policy for each program.

Previous OIG Audits. Results of previous audits, as well as the statuses of implementation of recommendations, were reviewed for the travel card and purchase card programs. A program that had not been audited was assigned a “higher” rating, and the same rating was assigned for an audit that had been conducted more than 10 years ago. A “lower” rating was assigned when a program had been recently audited and recommendations had been implemented. A “medium” rating was assigned for programs that had been audited recently but for which recommendations had not been fully implemented. The ratings were mitigated if documentation of meaningful internal reviews (conducted by the agency) was provided.

OIG/INV Forensic Audit Observation. Ratings of “lower,” “medium,” or “higher” were assigned for each travel card and purchase card program based on input from OIG/INV forensic auditors. We met with the OIG/INV forensic audit manager to discuss the progress in using data mining to review travel card and purchase card transactions for BBG. The information provided by OIG/INV may have included results of its analyses and interviews with the agency officials responsible for the travel and purchase card programs. Details related to each program are described in the Results of Risk Assessment section of this report.

Violation Reports. Violation reports were considered only for the purchase card program, as these reports are required when a purchase card program spends more than $10 million per year.[6] A rating of “lower” was assigned if a report was provided and a lower number of violations had been reported.[7]

Impact and Likelihood

Impact refers to the extent to which a risk event might affect BBG, and likelihood represents the possibility that a given event might occur. We used the dollars spent in each travel card and purchase card program to determine an impact rating of “lower,” “medium,” or “higher” and the number of cardholders in each program to determine a likelihood rating of “lower,” “medium,” or “higher.” The rating criteria are shown in Table 1.

Table 1. Impact and Likelihood Ratings

Rating    Impact                       Likelihood
Lower     Less than $1 million         Fewer than 250 cardholders
Medium    $1 million to $10 million    250 to 500 cardholders
Higher    More than $10 million        More than 500 cardholders

Source: OIG developed based on review of multiple sources, including industry standard principles for risk management.

The impact and likelihood ratings were compared to determine a single “factor” that was used in the final overall risk assessment for the travel card and purchase card programs. We plotted the impact and likelihood ratings on a chart known as a “heat map,” which depicts the intersections of the lower, medium, and higher ratings, to determine a rating for the impact and likelihood factor. The heat map is shown in Table 2.

Table 2. Impact and Likelihood Factor Heat Map

                 Factor, by Likelihood Rating
Impact Rating    Lower       Medium    Higher
Higher           Medium      High      Very High
Medium           Low         Medium    High
Lower            Very Low    Low       Medium

Source: OIG developed based on review of industry standard principles for risk management.

Final Risk Assessment

OIG combined the individual criteria ratings to form an overall combined rating and used this rating with the impact and likelihood factor to determine the final risk assessments for BBG’s travel and purchase card programs. Specifically, we used the final assessment heat map shown in Table 3 to arrive at the overall risk assessment ratings.

Table 3. Final Assessment Heat Map

                                Final Rating, by Combined Criteria Rating
Impact and Likelihood Factor    Low         Medium    High
Very High                       Medium      High      Very High
High                            Medium      High      Very High
Medium                          Low         Medium    High
Low                             Very Low    Low       Medium
Very Low                        Very Low    Low       Medium

Source: OIG developed based on review of industry standard principles for risk management.

Results of Risk Assessment

The results of the assessment show that the risk of illegal, improper, or erroneous use in BBG’s travel card program is “medium” and for the purchase card program is “very low.” As a result, audits of the programs were not recommended for inclusion in the OIG FY 2015 annual audit plan.[8] Although audits of the programs are not planned, OIG suggests that both travel card and purchase card program managers take appropriate actions to ensure and improve oversight of the programs. The individual program results are described in the sections that follow.

Broadcasting Board of Governors Travel Card

Criteria Ratings. According to documentation and information provided by the BBG travel card office, OIG determined that the travel card program’s compliance with required internal controls was generally good—overall 98 percent were in compliance (45 of 46 controls), to include 94 percent in compliance (17 of 18 controls) with travel card-specific controls, resulting in a rating of “lower” for this criterion. The availability of training and incorporation of training in policy were rated “lower” because the travel card office provided detailed documentation and policies regarding the required training for program participants. The BBG travel card program has not been audited by OIG. However, BBG travel card procedures were included in a 2013 OIG inspection[9] that resulted in a recommendation for improvements to be made to the program. That recommendation is in the process of being implemented and has not been closed; therefore, the program was rated “medium” for this criterion. OIG/INV forensic auditors had only recently received access to the BBG travel card data and had not made any observations for consideration in this assessment. Because of this limited information, a rating of “medium” was assigned to the program for this criterion. The individual criteria ratings and overall combined rating are shown in Table 4.

Table 4. Criteria Summary

Criteria             Rating
Internal Controls    Lower
Training             Lower
Prior OIG Audits     Medium
OIG/INV Input        Medium
Combined             Low

Source: OIG generated based on analysis of information and documentation as described in the Scope and Methodology section of this report.

Impact and Likelihood Factor. The BBG travel card office reported that in FY 2013, BBG spent a total of $2.3 million (a breakdown of centrally billed accounts (CBA) and individually billed accounts (IBA) was not provided), which was attributed to 651 cardholders (6 CBAs and 645 IBAs). The impact and likelihood factor, shown in Table 5, raised the risk associated with the BBG travel card program.

Table 5. Impact and Likelihood Factor

                                 Rating
Impact        $2.3 million       Medium
Likelihood    651 cardholders    Higher
Factor                           High

Source: OIG generated based on analysis of information and documentation as described in the Scope and Methodology section of this report.

Final Risk Assessment. The final determination of risk of illegal, improper, or erroneous use in the BBG travel card program was “medium.” An audit of BBG’s travel card program was not recommended for inclusion in the OIG FY 2015 annual audit plan;[10] however, OIG suggests that the travel card program manager take appropriate actions to ensure and improve oversight of the program. The OIG FY 2014 risk assessment will carefully consider the progress of OIG/INV forensic auditors’ data mining efforts and the status of implementation of the outstanding OIG inspection recommendation.

Broadcasting Board of Governors Purchase Card

Criteria Ratings. According to documentation and information provided by the BBG purchase card office, OIG determined that purchase card program compliance with required internal controls was generally good—overall 95 percent were in compliance (54 of 57 controls), to include 90 percent in compliance (26 of 29 controls) with purchase card-specific controls, resulting in a rating of “lower” for this criterion. The availability of training and the incorporation of training in BBG policy were rated “lower” because the purchase card office provided detailed documentation and policies regarding the required training for program participants. The last audit of the BBG purchase card program was conducted in 2005 (reported in August 2006),[11] and all of the recommendations have since been closed. In addition, BBG provided documentation of internal reviews that were conducted that mitigated the risk and dropped the rating for this criterion to “lower.” OIG/INV forensic auditors had only recently received access to the BBG purchase card data and had not made any observations for consideration in this assessment. Because of this limited information, a rating of “medium” was assigned to the program for this criterion. The BBG purchase card program did not meet the reporting requirements for violations and was therefore not rated on this criterion. The individual criteria ratings and overall combined rating are shown in Table 6.

Table 6. Criteria Summary

Criteria             Rating
Internal Controls    Lower
Training             Lower
Prior OIG Audits     Lower
OIG/INV Input        Medium
Violation Report     n/a
Combined             Low

Source: OIG generated based on analysis of information and documentation as described in the Scope and Methodology section of this report.

Impact and Likelihood Factor. The BBG purchase card office reported that in FY 2013, BBG spent approximately $5.3 million, which was attributed to 91 cardholders. The impact and likelihood factor, shown in Table 7, reduced the risk associated with the BBG purchase card program.

Table 7. Impact and Likelihood Factor

                                Rating
Impact        $5.3 million      Medium
Likelihood    91 cardholders    Lower
Factor                          Low

Source: OIG generated based on analysis of information and documentation as described in the Scope and Methodology section of this report.

Final Risk Assessment. The final determination of risk of illegal, improper, or erroneous use in the BBG purchase card program was “very low.” An audit of BBG’s purchase card program was not recommended for inclusion in the OIG FY 2015 annual audit plan;[12] however, OIG suggests that the purchase card program manager take appropriate actions to ensure and improve oversight of the program. The OIG FY 2014 risk assessment will carefully consider the progress of OIG/INV forensic auditors’ data mining efforts.

This report was provided for informational purposes, and a response is not required. OIG appreciates the cooperation and assistance provided by your staff during this risk assessment. If you have any questions please contact me by email at [Redacted] (b) (6) or Melinda M. Perez, Division Director, by email at [Redacted] (b) (6).

Sincerely,

Norman P. Brown
Assistant Inspector General for Audits

cc: IBB/OCFO - Salina James
    IBB/OPR - Susan Andross

[1] Pub. L. No. 112-194.
[2] Reported violations are applicable only to purchase card programs. Violations are required to be reported if the agency spends more than $10 million annually.
[3] The results of the risk assessment do not preclude OIG from reviewing BBG’s travel card or purchase card programs during FY 2015 or at any other time.
[4] “Enterprise Risk Management – Integrated Framework Executive Summary,” Committee of Sponsoring Organizations of the Treadway Commission, Sept. 2004, and “Risk Assessment in Practice,” Deloitte & Touche LLP, Oct. 2012.
[5] OMB Circular No. A-123, “Management’s Responsibility for Internal Control,” App. B, “Improving the Management of Government Charge Card Programs,” Jan. 15, 2009.
[6] OMB M-13-21, “Implementation of the Government Charge Card Abuse Prevention Act of 2012,” Sept. 6, 2013.
[7] BBG’s purchase card program did not meet the minimum requirements for reporting violations and was therefore given a rating of “n/a,” as shown in the Results of Risk Assessment section of this report.
[8] The results of the risk assessment do not preclude OIG from reviewing BBG’s travel card or purchase card programs during FY 2015 or at any other time.
[9] Inspection of U.S. International Broadcasting to Russia (ISP-IB-13-50, Sept. 2013).
[10] The results of the risk assessment do not preclude OIG from reviewing BBG’s travel card program during FY 2015 or at any other time.
[11] Review of the Broadcasting Board of Governors Purchase Card Program (AUD/IB-06-15, Aug. 2006).
[12] The results of the risk assessment do not preclude OIG from reviewing BBG’s purchase card program during FY 2015 or at any other time.